Pension Benefit Guaranty Corporation
Office of Inspector General
Audit Report

AUTHORIZATION TO OPERATE
PBGC INFORMATION SYSTEMS

August 18, 2010
AUD-2010-08 / IT-09-70

Pension Benefit Guaranty Corporation
Office of Inspector General
1200 K Street, N.W., Washington, D.C. 20005-4026

August 18, 2010

AUDIT REPORT

TO:       Richard Macy
          Acting Chief Information Officer

FROM:     Joseph A. Marchowsky
          Assistant Inspector General for Audit

SUBJECT:  Authorization to Operate PBGC Information Systems
          Audit Report: AUD-2010-8 / IT-09-70

During our FY 2009 Federal Information Security Management Act (FISMA) review, we became aware that PBGC was operating its information technology general support systems and major applications without the necessary authorizations to operate (ATOs), as required by Office of Management and Budget (OMB) Circular A-130 and FISMA. The ATO is intended to document the official management decision made by a senior agency official to allow operation of a system and to explicitly accept the risk to agency operations, assets, or individuals based on the implementation of an agreed-upon set of security controls.
However, due to fundamental weaknesses in PBGC’s information technology (IT) infrastructure and PBGC’s ineffective certification and accreditation (C&A) process, PBGC senior management officials did not have a valid basis on which to authorize continued operation of PBGC’s information technology systems.

Our March 22, 2010 FISMA evaluation report, prepared by Clifton Gunderson LLP under contract to PBGC OIG, described how PBGC’s systemic security control weaknesses posed an increasing and substantial risk to PBGC’s ability to carry out its mission. We also noted that PBGC’s management was starting to take actions to correct some of the reported control weaknesses. During our oversight activities relating to the FISMA evaluation, we became aware that some PBGC systems were operating without the required authorizations. Thus, OIG initiated this audit to determine the extent of the issue and to document our findings and recommendations.

Authorization to Operate PBGC Information Systems
Audit Report No. 2010-8 / IT-09-70

PBGC is in a difficult position with respect to authorizing operation of its general support systems and other major applications. Because an ATO must be supported by a complete C&A package, PBGC must address weaknesses in the C&A process before its systems can be appropriately authorized. OMB guidance does not provide for agencies to issue “conditional” or “interim” ATOs. In theory, an agency should not operate an information technology system unless it has been properly certified and accredited. However, because PBGC information systems are indispensable to the achievement of the agency mission, suspension of their use is not a practicable alternative at this time.
Thus, we are recommending that PBGC seek from OMB a waiver allowing conditional authorization, based on PBGC’s ongoing efforts to improve information security. While this option is less than ideal, other alternatives (e.g., ceasing use of the information technology systems until existing problems are remediated) would likely pose an even greater risk to PBGC’s ability to meet its statutory mission.

Background

The purpose of an IT system security plan is to provide an overview of the security requirements of the system and to describe the controls in place or planned for meeting those requirements. Updating the system security plan is part of the security accreditation process known as Certification and Accreditation (C&A). The authorization to operate (security accreditation) is required by OMB Circular A-130, Appendix III. Security accreditation provides a form of quality control and challenges managers and technical staff at all levels to implement the most effective security controls possible for an information system, given mission requirements, technical constraints, operational constraints, and cost/schedule constraints.

Accreditation requires senior agency officials to affirmatively decide to authorize information system operation and to explicitly accept the risk to agency operations, assets, or individuals based on the implementation of an agreed-upon set of security controls. Agency officials must be given the most complete, accurate, and trustworthy information possible concerning the security status of their information systems in order to make timely, credible, risk-based decisions on whether to authorize operation of those systems. By authorizing processing in a system, the manager accepts its associated risk.

The assessment of risk and the development of system security plans are two important activities in an agency’s information security program that directly support security accreditation.
Since the system security plan establishes and documents the security controls, it should form the basis for the authorization, supplemented by the security assessment report and the plan of action and milestones. Reauthorization should occur whenever there is a significant change in processing, but at least every three years.[1]

Objective, Scope and Methodology

Our objective was to determine whether (1) each of the PBGC general support systems (GSS) and major applications had a current Authorization to Operate (ATO) and (2) the Corporation had remediated identified vulnerabilities in a timely manner. To meet our objective, we reviewed the ATO documentation submitted with the Fiscal Year (FY) 2008 Certification and Accreditation (C&A) packages; requested any updated ATOs completed in FY 2009 and FY 2010 to date; reviewed Government regulations and standards, PBGC security policy, and internal control standards; and interviewed PBGC management and staff.

[1] NIST Special Publication 800-18 Rev. 1, Guide for Developing Security Plans for Federal Information Systems, dated February 2006.

We conducted this performance audit in accordance with generally accepted government auditing standards (GAGAS). Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. The audit was conducted between September 2009 and June 2010.

Details

PBGC continued to operate IT general support systems and major applications without remediating known high and medium vulnerabilities.
We observed during our FY 2009 FISMA review that the Corporation’s entity-wide security program lacked focus and a coordinated effort to resolve deficiencies. As a result, sensitive and critical resources were not adequately protected because identified vulnerabilities had not been corrected.

During our oversight of the annual FISMA evaluation, OIG became aware of potential problems with the ATOs. OIG, therefore, initiated an audit of the ATOs for PBGC’s two general support systems and twelve major applications. We determined that of the 14 systems, only three had a current ATO. Because the condition set for approval (remediation of all of the high and at least 50% of the moderate vulnerabilities) had not been met, the remaining eleven systems did not have valid authorizations to operate. In May 2010, senior PBGC officials confirmed that no new ATOs had been issued since the documents we received as part of the FY 2008 C&A process.

Specifically, we observed that:

•   PBGC continued to use systems with unremediated vulnerabilities. Some of the vulnerabilities had been identified as long ago as December 2007.

•   “Conditional” as opposed to “authorized” approvals had been granted because of the significant number of high and medium unresolved vulnerabilities. For nine systems, PBGC senior officials granted a conditional ATO and allowed continued operation although high and medium vulnerabilities had not been remediated. On August 20, 2009, OMB issued Memorandum M-09-29, which states that OMB does not recognize an interim authorization to operate, as doing so would be counter to FISMA’s goals.
Some of the conditional ATOs issued by PBGC were signed in March 2008, prior to OMB’s specific prohibition on conditional ATOs.

•   In December 2007, the certifying agent, information system owner, and Information Systems Security Officer (ISSO) concluded that two major systems – My Pension Benefit Account (MyPBA) and eTalk-Qfiniti – should be denied an approval to operate, pending remediation of all “High” rated items and at least half of all “Moderate” rated items. For each of the systems, the reviewers had concluded: “we certify that the safeguards designed, developed, and implemented have not demonstrated the necessary security to reduce the risk of operating the aforementioned system to an acceptable level.” [emphasis in original]

National Institute of Standards and Technology (NIST)[2] Special Publication 800-30 states that:

“If an observation or finding is evaluated as a high risk, there is a strong need for corrective measures. An existing system may continue to operate, but a corrective action plan must be put in place as soon as possible...”

PBGC Certifying and Accrediting authorities initially agreed on plans for remediation that would be accomplished in a timeframe of 90 days to 6 months.
In most instances, however, the milestones were not met and the interim ATO was renewed or allowed to expire without further action.

The same publication also describes the magnitude of impact from the exercise of a High vulnerability: “(1) may result in the highly costly loss of major tangible assets or resources; (2) may significantly violate, harm, or impede an organization’s mission, reputation, or interest.”

Volume 4, Section I: 1.6.4 of PBGC’s Information Assurance Handbook states that IT Security management has oversight responsibilities with respect to certification and accreditation. Those responsibilities include:

•   Ensuring that all information security requirements are properly addressed by each information system to ensure compliance with Federal and PBGC policies and procedures.

•   Working closely with the Information System Owner and Senior Agency Information Security Officer (SAISO) to manage information security self-assessments and monitor corrective action on findings of new weaknesses.

As part of our review we interviewed the system owner for the general support systems, who was not aware of the current ATO status. We also analyzed the Plan of Action and Milestones (POA&M) for the two general support systems and determined that 13 high vulnerabilities were still outstanding but in some state of remediation. The ISSO asserted that a new ATO had been signed for the general support systems. When we attempted to corroborate the ISSO’s statement by reviewing the new ATO, the ISSO stated that he could not provide the document because the signed ATO was in the office of a PBGC employee who was on leave.
We continued to follow up on the issue and determined that a new ATO had not been completed, despite the ISSO’s assertions to the contrary.

The failure to remediate the previously identified high and moderate level risks in a timely manner left PBGC at risk of significant harm to its ability to meet its mission and to its reputation. In addition, because the systems continue to operate without correction of the vulnerabilities, the Corporation is not fully compliant with FISMA, OMB Circular A-130 Appendix III, and NIST requirements.

[2] FISMA assigned the responsibility for developing IT security standards and guidelines to the National Institute of Standards and Technology of the Department of Commerce (see Federal Information Security Management Act of 2002, Title III of the E-Government Act of 2002, H.R. 2458).

We recently reported that PBGC was unable to provide an up-to-date and consolidated Plan of Action and Milestones (POA&M).[3] The lack of an up-to-date POA&M, in turn, resulted in identified security deficiencies not being tracked and monitored to ensure their prompt remediation. PBGC agreed with our recommendations to develop a consolidated POA&M, including tracking milestones and independently validating POA&M activities.

As a result of our work, we made four recommendations to PBGC.

OIG RECOMMENDATION

Request a waiver from OMB to allow for continued operation of information technology systems, despite the presence of unremediated vulnerabilities and the absence of an effective certification and accreditation process. (OIG Control Number OIT-108)

PBGC RESPONSE

PBGC agreed that it is important to keep OMB apprised of the status of its systems and noted that it has briefed both OMB and the PBGC Board on its plans.
However, PBGC determined that it would not seek a formal waiver or conditional certification because OMB had not requested that it do so. PBGC noted its commitment to keeping its stakeholders apprised of progress as its plans are implemented. Further, PBGC noted that it was following advice provided by an OMB-approved Federal Information Systems Security Line of Business. The Corporation requested that OIG accept PBGC’s briefings to OMB on this issue, as well as PBGC’s assertion that it is following an OMB-approved Information Systems Security Line of Business’ advice, as an alternative corrective action for this recommendation.

OIG EVALUATION

We accept PBGC’s proposed alternative corrective action. We will continue to monitor PBGC’s progress in completing new authorizations to operate. If it becomes apparent that PBGC will not be able to complete the C&A process in a timely manner in accordance with FISMA, we will request that PBGC reevaluate its position.

[3] PBGC OIG Report No. EVAL-2010-7/FA-09-64-7, Fiscal Year 2009 Federal Information Security Management Act (FISMA) Independent Evaluation Report, dated March 22, 2010, completed by an independent public accounting firm under contract to and the direction of OIG.

OIG RECOMMENDATION

Develop a comprehensive corrective action plan to remediate all the high and moderate vulnerabilities remaining on the PBGC network. (OIG Control Number OIT-109)

PBGC RESPONSE

PBGC agreed with the recommendation. The action will be part of the C&A approach that PBGC is working on with the Bureau of the Public Debt (BPD).
Additionally, PBGC noted the need to re-baseline the current list of vulnerabilities because of the many infrastructure and system changes that have occurred since the vulnerabilities were first identified.

OIG EVALUATION

We concur with PBGC’s response.

OIG RECOMMENDATION

Ensure that an individual takes ownership of and provides oversight of the remediation process and validates that corrective actions are completed by the target dates. (OIG Control Number OIT-110)

PBGC RESPONSE

PBGC agreed with this recommendation and deemed that the Acting Chief Information Officer was best positioned to address these responsibilities.

OIG EVALUATION

We concur with PBGC’s response.

OIG RECOMMENDATION

Ensure all ATOs are updated accurately to reflect the current system security state and the status of the POA&Ms. (OIG Control Number OIT-111)

PBGC RESPONSE

PBGC agreed with this recommendation. As ATOs are completed, with the assistance of BPD, they will accurately reflect the current system security state and the status of POA&Ms at the time they are signed.

OIG EVALUATION

We concur with PBGC’s response.

Appendix A
PBGC Response
If you want to report or discuss confidentially any instance of misconduct, fraud, waste, abuse, or mismanagement, please contact the Office of Inspector General.

Telephone:
The Inspector General’s HOTLINE
1-800-303-9737

The deaf or hard of hearing, dial FRS (800) 877-8339 and give the Hotline number to the relay operator.

Web:
http://oig.pbgc.gov/investigation/details.html

Or Write:
Pension Benefit Guaranty Corporation
Office of Inspector General
PO Box 34177
Washington, DC 20043-4177